diff --git a/hosts/nixos/nfss/proxy.nix b/hosts/nixos/nfss/proxy.nix deleted file mode 100644 index b905d37..0000000 --- a/hosts/nixos/nfss/proxy.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ config, ... }: - -{ - # Traefik dynamic configuration for vps host - services.traefik.dynamic.files."proxy".settings = { - http = { - serversTransports = { - longTimeout = { - forwardingTimeouts = { - dialTimeout = "30s"; - responseHeaderTimeout = "1200s"; - idleConnTimeout = "1200s"; - }; - }; - }; - - routers = { - - deluge = { - rule = "Host(`deluge.home.yanlincs.com`)"; - service = "deluge"; - tls = { - certResolver = "cloudflare"; - domains = [{ - main = "*.home.yanlincs.com"; - }]; - }; - }; - - photo = { - rule = "Host(`photo.home.yanlincs.com`)"; - service = "photo"; - tls = { - certResolver = "cloudflare"; - domains = [{ - main = "*.home.yanlincs.com"; - }]; - }; - }; - - }; - - services = { - - deluge = { - loadBalancer = { - servers = [{ - url = "http://127.0.0.1:8112"; - }]; - }; - }; - - photo = { - loadBalancer = { - serversTransport = "longTimeout"; - servers = [{ - url = "http://127.0.0.1:8080"; - }]; - }; - }; - - }; - - }; - - }; -} diff --git a/hosts/nixos/nfss/system.nix b/hosts/nixos/nfss/system.nix index 06c3fc6..e2a8e06 100644 --- a/hosts/nixos/nfss/system.nix +++ b/hosts/nixos/nfss/system.nix @@ -4,11 +4,9 @@ imports = [ ./hardware-configuration.nix ./containers.nix - ./proxy.nix ../system-default.nix - ../../../modules/vpn/tailscale.nix + ../../../modules/vpn/wireguard.nix ../../../modules/podman.nix - ../../../modules/traefik.nix ../../../modules/borg/client.nix ../../../modules/media/server.nix ../../../modules/file-server/samba.nix 
@@ -132,9 +130,14 @@ }; }; - services.tailscale-custom = { - exitNode = true; - subnetRoutes = [ "10.1.1.0/24" ]; + services.wireguard-custom = { + enable = true; + mode = "client"; + clientConfig = { + address = "10.2.2.10/24"; + serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM="; + serverEndpoint = "91.98.84.215:51820"; + }; }; # Media server services diff --git a/hosts/nixos/vps/proxy.nix b/hosts/nixos/vps/proxy.nix index 1743577..9140c3b 100644 --- a/hosts/nixos/vps/proxy.nix +++ b/hosts/nixos/vps/proxy.nix @@ -38,6 +38,17 @@ }; }; + deluge = { + rule = "Host(`deluge.yanlincs.com`)"; + service = "deluge"; + tls = { + certResolver = "cloudflare"; + domains = [{ + main = "*.yanlincs.com"; + }]; + }; + }; + git = { rule = "Host(`git.yanlincs.com`)"; service = "git"; @@ -57,7 +68,7 @@ loadBalancer = { serversTransport = "longTimeout"; servers = [{ - url = "http://10.1.1.152:8080"; + url = "http://10.2.2.10:8080"; }]; }; }; @@ -65,7 +76,15 @@ music = { loadBalancer = { servers = [{ - url = "http://10.1.1.152:4533"; + url = "http://10.2.2.10:4533"; + }]; + }; + }; + + deluge = { + loadBalancer = { + servers = [{ + url = "http://10.2.2.10:8112"; }]; }; }; diff --git a/hosts/nixos/vps/system.nix b/hosts/nixos/vps/system.nix index 0094da4..7033400 100644 --- a/hosts/nixos/vps/system.nix +++ b/hosts/nixos/vps/system.nix @@ -6,7 +6,7 @@ ./containers.nix ./proxy.nix ../system-default.nix - ../../../modules/vpn/tailscale.nix + ../../../modules/vpn/wireguard.nix ../../../modules/podman.nix ../../../modules/traefik.nix ../../../modules/borg/client.nix @@ -44,7 +44,6 @@ firewall = { enable = true; allowedTCPPorts = [ 22 80 443 27017 ]; - trustedInterfaces = [ "tailscale0" ]; }; }; 
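Review bot: The new `services.wireguard-custom` client block pins a bare IP endpoint and a public key with nothing on the line saying which host they belong to, so the cross-file dependency on the vps configuration is invisible here; a one-line comment would fix that, e.g. `# Peer: vps host (hosts/nixos/vps/system.nix); key is the public half of that host's /etc/wireguard/private.key`. Note also that, unlike the removed tailscale block, nothing advertises `10.1.1.0/24` any more, so only the module's default `10.2.2.0/24` is routed through the tunnel; the vps proxy.nix backends were moved to 10.2.2.10 in the same commit, which appears intentional but is worth stating in the comment. The enclosing attribute set starts and ends outside this hunk.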
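Review bot: The new `deluge` router publishes the Deluge web UI at `deluge.yanlincs.com` on the public proxy with no `middlewares` entry, so the only access control left is the application's own login; in the deleted hosts/nixos/nfss/proxy.nix the same UI was served only under the `.home.` name on the nfss host. Consider attaching an access-restricting middleware to this router (Traefik's `basicAuth`, `forwardAuth`, or an IP allow-list middleware), e.g. `middlewares = [ "<auth-middleware-name>" ];`, or keep the service off the internet-facing proxy. The matching backend entry is added in the third hunk of this file (`url = "http://10.2.2.10:8112"`), which should carry the same decision. The enclosing `routers` attribute set starts and ends outside this hunk.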
@@ -71,7 +70,17 @@ ]; }; - services.tailscale-custom.exitNode = true; + services.wireguard-custom = { + enable = true; + mode = "server"; + serverConfig = { + address = "10.2.2.1/24"; + peers = [{ + publicKey = "MCuSF/aFZy7Jq3nI6VpU7jbfZOuEGuMjgpxRWazxtmY="; + allowedIPs = [ "10.2.2.10/32" ]; + }]; + }; + }; services.git-server-custom = { enable = true; diff --git a/modules/git/server.nix b/modules/git/server.nix index 301fa22..64e20dc 100644 --- a/modules/git/server.nix +++ b/modules/git/server.nix @@ -49,6 +49,7 @@ in }; service.DISABLE_REGISTRATION = true; actions.ENABLED = true; + repository.DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true; }; }; diff --git a/modules/podman.nix b/modules/podman.nix index c83deed..8b5200d 100644 --- a/modules/podman.nix +++ b/modules/podman.nix @@ -2,6 +2,8 @@ { config = { + boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; + virtualisation = { podman = { enable = true; diff --git a/modules/vpn/wireguard.nix b/modules/vpn/wireguard.nix index 0951726..e388e88 100644 --- a/modules/vpn/wireguard.nix +++ b/modules/vpn/wireguard.nix @@ -1,5 +1,4 @@ -# NOTE: Private key file at: `/etc/wireguard/private.key` with mode 600 -# Generate with: `wg genkey > /etc/wireguard/private.key` +# NOTE: After deploy, get public key with: `sudo sh -c 'wg pubkey < /etc/wireguard/private.key'` { config, pkgs, lib, ... }: 
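Review bot: The single entry in `serverConfig.peers` is identified only by its key; since the module dropped the per-peer `name` option, a comment is the only place left to say which host this is, e.g. `# nfss (home server) at 10.2.2.10; key is the public half of its /etc/wireguard/private.key`. The `/32` in `allowedIPs` is the right scope: it pins the peer to its own tunnel address rather than the whole `10.2.2.0/24`. Keep in mind that modules/vpn/wireguard.nix trusts `wg0` unconditionally, so this peer reaches every listening port on the vps, not only those in `allowedTCPPorts`. The enclosing attribute set starts outside this hunk.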
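Review bot: `repository.DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;` is a hardening switch added without a recorded reason, which makes it easy to revert later as "unneeded"; a short comment next to it would preserve the intent, e.g. `# Source archives are generated on demand; disabled so anonymous requests cannot burn CPU/disk generating them` — adjust if the actual motivation was different. The surrounding settings block starts and ends outside this hunk.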
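Review bot: `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;` is now enabled on every host that imports podman.nix, unconditionally, whereas the `boot.kernel.sysctl = mkIf (cfg.mode == "server")` block removed from modules/vpn/wireguard.nix in this same commit only enabled forwarding on the WireGuard server. On the nfss client, global forwarding combined with the module's `trustedInterfaces = [ "wg0" ]` lets the tunnel peer route through that host into whatever networks it can reach, which is more than the tunnel needs. If podman itself does not require this, move it back under the server branch in wireguard.nix; if it does, say so on the line, e.g. `# Needed for podman bridge networking; also provides forwarding for the WireGuard server role`. The IPv6 counterpart (`net.ipv6.conf.all.forwarding`) that the old block set is dropped entirely, which may be intended but is not mentioned anywhere.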
@@ -12,192 +11,108 @@ in { options.services.wireguard-custom = { enable = mkEnableOption "WireGuard VPN"; - + mode = mkOption { type = types.enum [ "server" "client" ]; - description = "Whether to run as server (hub) or client (spoke)"; - }; - - interface = mkOption { - type = types.str; - default = "wg0"; - description = "WireGuard interface name"; - }; - - listenPort = mkOption { - type = types.port; - default = 51820; - description = "UDP port to listen on (server mode only)"; }; - privateKeyFile = mkOption { - type = types.str; - default = "/etc/wireguard/private.key"; - description = "Path to private key file"; - }; - serverConfig = mkOption { type = types.submodule { options = { address = mkOption { type = types.str; example = "10.2.2.1/24"; - description = "Server IP address with CIDR"; }; - + peers = mkOption { type = types.listOf (types.submodule { options = { - name = mkOption { - type = types.str; - description = "Peer name for identification"; - }; - - publicKey = mkOption { - type = types.str; - description = "Peer's public key"; - }; - - allowedIPs = mkOption { - type = types.listOf types.str; - description = "IP addresses this peer is allowed to use"; - }; + publicKey = mkOption { type = types.str; }; + allowedIPs = mkOption { type = types.listOf types.str; }; }; }); default = []; - description = "List of client peers"; }; }; }; - description = "Server-specific configuration"; }; - + clientConfig = mkOption { type = types.submodule { options = { address = mkOption { type = types.str; - example = "10.2.2.20/24"; - description = "Client IP address with CIDR"; + example = "10.2.2.2/24"; }; - - serverPublicKey = mkOption { - type = types.str; - description = "Server's public key"; - }; - + + serverPublicKey = mkOption { type = types.str; }; + serverEndpoint = mkOption { type = types.str; example = "vpn.example.com:51820"; - description = "Server endpoint (host:port)"; }; - + allowedIPs = mkOption { type = types.listOf types.str; default = [ "10.2.2.0/24" 
]; - description = "IP ranges to route through the tunnel"; }; }; }; - description = "Client-specific configuration"; }; }; config = mkIf cfg.enable { - # Install WireGuard tools - environment.systemPackages = with pkgs; [ wireguard-tools ]; + environment.systemPackages = [ pkgs.wireguard-tools ]; - # Create private key file if it doesn't exist systemd.tmpfiles.rules = [ "d /etc/wireguard 0700 root root - -" - "f ${cfg.privateKeyFile} 0600 root root - -" + "f /etc/wireguard/private.key 0600 root root - -" ]; - # Generate private key on first run systemd.services.wireguard-keygen = { description = "Generate WireGuard private key"; - before = [ "wg-quick-${cfg.interface}.service" ]; + before = [ "wg-quick-wg0.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' - if [ ! -s ${cfg.privateKeyFile} ]; then - echo "Generating WireGuard private key..." - ${pkgs.wireguard-tools}/bin/wg genkey > ${cfg.privateKeyFile} - chmod 600 ${cfg.privateKeyFile} - echo "Private key generated. Public key:" - ${pkgs.wireguard-tools}/bin/wg pubkey < ${cfg.privateKeyFile} - echo "Please add this public key to your peer configurations." + if [ ! 
-s /etc/wireguard/private.key ]; then + ${pkgs.wireguard-tools}/bin/wg genkey > /etc/wireguard/private.key + chmod 600 /etc/wireguard/private.key + echo "Public key: $(${pkgs.wireguard-tools}/bin/wg pubkey < /etc/wireguard/private.key)" fi ''; }; - # WireGuard interface configuration (combined server and client) - networking.wg-quick.interfaces = { - ${cfg.interface} = mkMerge [ - # Common configuration - { - privateKeyFile = cfg.privateKeyFile; - } - - # Server-specific configuration - (mkIf (cfg.mode == "server") { - address = [ cfg.serverConfig.address ]; - listenPort = cfg.listenPort; - - # Enable IP forwarding and NAT for server - preUp = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.interface} -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE - ''; - - postDown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.interface} -j ACCEPT - ${pkgs.iptables}/bin/iptables -D FORWARD -o ${cfg.interface} -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE - ''; + networking.wg-quick.interfaces.wg0 = mkMerge [ + { privateKeyFile = "/etc/wireguard/private.key"; } - peers = map (peer: { - publicKey = peer.publicKey; - allowedIPs = peer.allowedIPs; - }) cfg.serverConfig.peers; - }) - - # Client-specific configuration - (mkIf (cfg.mode == "client") { - address = [ cfg.clientConfig.address ]; - - peers = [{ - publicKey = cfg.clientConfig.serverPublicKey; - allowedIPs = cfg.clientConfig.allowedIPs; - endpoint = cfg.clientConfig.serverEndpoint; - persistentKeepalive = 25; - }]; - }) - ]; - }; - - # Firewall configuration - networking.firewall = mkMerge [ - # Server firewall rules (mkIf (cfg.mode == "server") { - allowedUDPPorts = [ cfg.listenPort ]; - trustedInterfaces = [ cfg.interface ]; + address = [ cfg.serverConfig.address ]; + listenPort = 51820; + peers = map (peer: { + inherit (peer) 
publicKey allowedIPs; + }) cfg.serverConfig.peers; }) - - # Client firewall rules + (mkIf (cfg.mode == "client") { - trustedInterfaces = [ cfg.interface ]; + address = [ cfg.clientConfig.address ]; + peers = [{ + publicKey = cfg.clientConfig.serverPublicKey; + allowedIPs = cfg.clientConfig.allowedIPs; + endpoint = cfg.clientConfig.serverEndpoint; + persistentKeepalive = 25; + }]; }) ]; - # Enable IP forwarding for server - boot.kernel.sysctl = mkIf (cfg.mode == "server") { - "net.ipv4.ip_forward" = 1; - "net.ipv6.conf.all.forwarding" = 1; - }; + networking.firewall = mkMerge [ + (mkIf (cfg.mode == "server") { + allowedUDPPorts = [ 51820 ]; + }) + { trustedInterfaces = [ "wg0" ]; } + ]; }; }
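Review bot: The merged `networking.firewall` at the end of this hunk trusts `wg0` unconditionally in both modes, so on the nfss client every listening service becomes reachable to the vps peer, while the vps proxy only needs the backend ports visible in hosts/nixos/vps/proxy.nix (8080, 4533 and 8112). Least privilege would replace the unconditional `{ trustedInterfaces = [ "wg0" ]; }` with a client-mode per-interface allow list (`networking.firewall.interfaces.wg0.allowedTCPPorts`) fed by a new `clientConfig.exposedTCPPorts` option, sketched below; the server branch is left trusting `wg0` because the page does not show what nfss needs from the vps. Separately, every option in this hunk lost its `description`, so `mode`, `serverConfig.peers.*.allowedIPs` and the rest no longer explain themselves in `nixos-option` or the generated module docs; keeping a one-line description per option costs little. In the keygen script, `wg genkey > /etc/wireguard/private.key` relies on the tmpfiles rule having pre-created the file as 0600 before the redirect; an `umask 077` as the script's first line removes that dependency. The `let` block binding `cfg` begins before this hunk.
```nix
# … unchanged: options.services.wireguard-custom.enable, mode, serverConfig …
clientConfig = mkOption {
  type = types.submodule {
    options = {
      # … unchanged: address, serverPublicKey, serverEndpoint, allowedIPs …
      exposedTCPPorts = mkOption {
        type = types.listOf types.port;
        default = [];
        description = "TCP ports on this host that the tunnel peer may reach";
      };
    };
  };
};

# … unchanged: config.environment.systemPackages, tmpfiles, wireguard-keygen, wg-quick wg0 …
networking.firewall = mkMerge [
  (mkIf (cfg.mode == "server") {
    allowedUDPPorts = [ 51820 ];
    trustedInterfaces = [ "wg0" ];
  })
  (mkIf (cfg.mode == "client") {
    interfaces.wg0.allowedTCPPorts = cfg.clientConfig.exposedTCPPorts;
  })
];
```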